summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2022-02-14Mark all the rpc 'ops' vectors, for auth, client, service, and xdr,Philip Guenther
as const, moving them from .data to .data.rel.ro. The other BSDs did this a long time ago; NetBSD did a chunk in 1998, which is long enough I didn't bother to get exact dates for others. ok deraadt@ millert@
2022-02-13Handle the case in freechunks where not a single allocation has happened.Otto Moerbeek
ok deraadt@
2022-02-12Avoid potential single byte overread in asn1_parse2().Joel Sing
A fix for this was previously commited in r1.32, however while this added a bounds check the logic means we still fall through and perform the overread. Fix the logic such that we only log the error if the bounds check fails. While here, flip the test around such that we check for validity then print (which is more readable and matches earlier code). ok inoguchi@ tb@
2022-02-12Limit OID text conversion to 64 bits per arc.Joel Sing
The current implementation uses an unsigned long, then switches to BN once the arc exceeds its size. However, the complexity of BN_bn2dec() is quadratic in the length of number being converted. This means that OIDs with excessively large arcs take a lot of computation to convert to text. While the X.660 specification states that arcs are unbounded, in reality they are not overly large numbers - 640K^W64 bits ought to be enough for any arc. Remove BN entirely, switch from unsigned long to uin64_t and fail if an arc exceeds this size. Identified via oss-fuzz timeouts - should fix #41028 and #44372. ok tb@
2022-02-11Fix length check of IP addresses for name constraintsTheo Buehler
An IP address in a name constraint is actually an IP address concatenated with a netmask, so it is twice as long as usual. This fixes a third bug introduced in r1.3 and reported by Volker Schlecht ok jsing
2022-02-11Add missing error check for a2i_GENERAL_NAME()Theo Buehler
Fixes a segfault reported by Volker Schlecht. ok jsing
2022-02-11Fix a double free in v2i_NAME_CONSTRAINTS()Theo Buehler
a2i_GENERAL_NAME() modifies and returns the out argument that was passed in unless out == NULL, in which case it returns something freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly. Issue reported by Volker Schlecht ok jsing
2022-02-11Make OBJ_obj2nid() work correctly with NID_undef.Joel Sing
Currently OBJ_obj2nid() with NID_undef returns NID_ccitt - this is due to doing a lookup on an empty value and having NID_undef conflict with an uninitialised NID value. Somewhat based on OpenSSL 0fb99904809. ok tb@
2022-02-11Fix typo in comment for f_favail.Todd C. Miller
From Alf Schlichting
2022-02-10introduce support for storing capability databases in /etc/login.conf.d;Robert Nagy
anytime a class is looked up, the /etc/login.conf.d/${class} file will be checked first for a matching class definition; this will allow us to easily add custom login classes from packages ok millert@
2022-02-08Plug a long standing leak in libtls CRL handlingTheo Buehler
X509_STORE_add_crl() does not take ownership of the CRL, it bumps its refcount. So nulling out the CRL from the stack will leak it. Issue reported by KS Sreeram, thanks! ok jsing
2022-02-08Change second argument of x25519_ge_scalarmult_base() fromTheo Buehler
a 'const uint8_t *a' to a 'const uint8_t a[32]' to match the prototype in curve25519_internal.h and the other variant inside OPENSSL_SMALL. ok millert
2022-02-08Using FILL_KPROC() from sysctl.h after rev 1.223 requires a definitionJonathan Gray
of struct filedesc. Include sys/filedesc.h here to unbreak the build. problem found by and ok tb@
2022-02-07Avoid a NULL dereference in BN_mod_exp2_mont()Theo Buehler
This is a very rarely used function and the crash is hard to reach in practice. Instead of implementing BN_is_odd() badly by hand, just call the real thing. Reported by Guido Vranken ok beck jsing
2022-02-07Check for zero modulus in BN_MONT_CTX_set().Theo Buehler
From OpenSSL 6a009812, prompted by a report by Guido Vranken ok beck jsing
2022-02-06Remove i <= 0 checks from SSL_get_error()Joel Sing
In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex() the error handling needs to be performed without checking i <= 0. This is effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of SSL_get_error() largely inline with OpenSSL 1.1. Issue reported by Johannes Nixdorf. ok inoguchi@ tb@
2022-02-06Handle zero byte reads/writes that trigger handshakes in the TLSv1.3 stack.Joel Sing
With the legaacy stack, it is possible to do a zero byte SSL_read() or SSL_write() that triggers the handshake, but then returns zero without SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE being flagged. This currently works in the TLSv1.3 stack by returning TLS_IO_WANT_POLLIN or TLS_IO_WANT_POLLOUT, which is then hidden by SSL_get_error(). However, due to upcoming changes to SSL_get_error() this will no longer be the case. In order to maintain the existing legacy behaviour, explicitly handle zero byte reads and writes in the TLSv1.3 stack, following completion of a handshake. ok inoguchi@ tb@
2022-02-06remove please from manual pagesJonathan Gray
ok jmc@ sthen@ millert@
2022-02-05Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_Theo Buehler
OpenSSL chose to break the previous naming convention for ciphers and to adopt TLS_* "RFC" names instead. Unfortunately, these names are exposed in several APIs and some language bindings test for these non-standard names instead of cipher values, which is ... unfortunate (others would say "plain crazy"). We currently have to maintain patches in regress and ports (p5-Net-SSLeay, openssl-ruby-tests - which means that Ruby will pick this up at some point) to work around this difference and that's just not worth the effort. The old AEAD- names will become aliases and continue to work, but in openssl ciphers and netcat output the TLS_* names will now be displayed. "I would be very happy if this gets committed" bluhm ok beck inoguchi, begrudgingly ok jsing
2022-02-05Provide logbl(3) when long double is doubleGeorge Koehler
bcallah@ had same diff ok guenther@
2022-02-05Bye bye S3I.Joel Sing
S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
2022-02-04Bump libressl's version in pkgconfig to 2.0.0Theo Buehler
LibreSSL's pc files effectively hardcode the version to 1.0.0 since LibreSSL exists. That probably never made much sense. This causes some pain for ports that "need 'openssl' ['>= +1.1.0'] found '1.0.0'" or similar while they would build perfectly fine with LibreSSL. This only affects OpenBSD. We do not put the actual LibreSSL version in there since it may cause trouble Discussed with sthen, millert, inoguchi, beck over the past year. Diff from/ok sthen
2022-02-04Remove a strange inheritance check from addr_validate_path_internal()Theo Buehler
The trust anchor can't inherit, but the code says that it can inherit just not if the leaf tries to inherit from that. This makes no sense and doesn't match what is done on the asid side. ok jsing
2022-02-04Fix capitalization of ChaCha20Theo Buehler
2022-02-03Fix copy-paste error: X509_V_ERR_CRL_SIGNATURE_FAILURE means that theTheo Buehler
CRL's signature is invalid, not the certificate's.
2022-02-03Cleanup/simplify ssl_cert_type()Joel Sing
Remove the X509 argument as it is unused - this was passed so that ssl_cert_type() can get the public key from the X509 object if the EVP_PKEY argument is NULL, however this is never the case. ok tb@
2022-02-01Provide our own signature padding defines.Joel Sing
Rather than leaking libcrypto defines through the tls_sign_cb and tls_signer_sign() interfaces, provide and use our own TLS_PADDING_* defines. ok inoguchi@ tb@
2022-02-01Revise signer callback interface.Joel Sing
The current design of tls_sign_cb provides a pointer to a buffer where the signature needs to be copied, however it fails to provide a length which could result in buffer overwrites. Furthermore, tls_signer_sign() is designed such that it allocates and returns ownership to the caller. Revise tls_sign_cb so that the called function is expected to allocate a buffer, returning ownership of the buffer (along with its length) to the caller of the callback. This makes it far easier (and safer) to implement a tls_sign_cb callback, plus tls_signer_sign can be directly plugged in (with an appropriate cast). While here, rename and reorder some arguments - while we will normally sign a digest, there is no requirement for this to be the case hence use 'input' and 'input_len'. Move padding (an input) before the outputs and add some additional bounds/return value checks. This is technically an API/ABI break that would need a libtls major bump, however since nothing is using the signer interface (outside of regress), we'll ride the original minor bump. With input from tb@ ok inoguchi@ tb@
2022-01-31Inline RELOC_* into boot_md.c and simplify the code based on whatPhilip Guenther
we can verify at build time. Track dt_pltgot as an Elf_Addr instead of an Elf_Addr* to eliminat casts on both setting and using. Set RELATIVE_RELOC so the ld.so Makefile can verify that it has just the relocation types we expect. Nothing depends on archdep.h pulling in other #includes anymore, so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" Tested with full build.
2022-01-31Update libexpat to 2.4.4. This fixes CVE-2022-23852 and CVE-2022-23990.Alexander Bluhm
Relevant for OpenBSD are security fixes #550 #551 and other changes #553 (missing in change log). No library bump necessary. OK millert@
2022-01-29Add limits.h for INT_MAX in tls_signer.cKinichiro Inoguchi
ok jsing@ tb@
2022-01-28Error check for sk_push in libsslKinichiro Inoguchi
CID 118976 118979 ok tb@
2022-01-28Error check for sk_push in libsslKinichiro Inoguchi
CID 24838 comment and ok tb@
2022-01-28Only memcpy() into imsg->data if datalen is not 0. Passing a NULL pointerClaudio Jeker
to memcpy() is UB no matter if len is 0. Reported by fouzhe on openbgpd-portable github page. OK tb@
2022-01-28When it's the possessive of 'it', it's spelled "its", without thePhilip Guenther
apostrophe.
2022-01-28Expose tls_signer_error()Joel Sing
Add tls_signer_error to Symbols.list - this was missed during the last libtls minor bump and can ride along. ok deraadt@
2022-01-27sort includes as usualTheo Buehler
2022-01-27Do not depend on engine.h pulling in err.h and evp.hTheo Buehler
2022-01-26whitespaceTheo Buehler
2022-01-25minor bump after api additiomEric Faurot
2022-01-25Introduce a signer interface intented to make TLS privsep simplerEric Faurot
to implement. Add a tls_config_set_sign_cb() function that allows to register a callback for the signing operation on a tls_config. When used, the context installs fake pivate keys internally, and the callback receives the hash of the public key. Add a tls_signer_*() set of functions to manage tls_signer objects. A tls_signer is an opaque structure on which keys are added. It is used to compute signatures with private keys identified by their associated public key hash. Discussed with and ok jsing@ tb@
2022-01-25Rewrite paragraph to refer to EVP_CIPHER_CTX_new() and HMAC_CTX_new()Theo Buehler
to match reality. spotted by/ok jmc
2022-01-25Remove some HMAC_CTX_init() remnants in HMAC(3).Theo Buehler
spotted by/ok jmc
2022-01-25Fix another return 0 bug in SSL_shutdown()Theo Buehler
If tls13_recod_layer_send_pending() returns TLS13_IO_EOF, we will bubble this up to the caller via tls13_legacy_return_code(), which translates TLS13_IO_EOF to 0. This can happen if we have pending post handshake-handshake data and the peer closes the pipe. Presumably tls13_legacy_shutdown() should be rewritten yet again. ok jsing
2022-01-25Avoid an infinite loop in SSL_shutdown()Theo Buehler
If the peer closed the write side of the connection and we have not yet received the close_notify, SSL_shutdown() makes an extra read to try and read the peer's close_notify from the pipe. In that situation, we receive EOF. The legacy stack will return -1 while the TLSv1.3 stack will end up returning 0. Since the documentation is not super explicit about what should be done if SSL_shutdown() returns 0, some applications will enter an infinite loop. The code and documentation indicate that SSL_shutdown() should only be called once more if it returned 0. Newer versions of the OpenSSL documentation explicitly say that one should call SSL_read() if SSL_shutdown() returns 0 in order to retrieve the close_notify. Doing this would also have avoided this infinite loop. Reported by Carsten Arzig and bluhm with a test case extracted from the syslogd tests using IO::Socket::SSL, which has such an infinite loop. ok bluhm jsing
2022-01-24Document X509_V_ERR_UNNESTED_RESOURCE. Previous version looked goodTheo Buehler
to claudio
2022-01-24Garbage collect unused ret in ssl3_get_new_session_ticket()Theo Buehler
ret is used to bubble up an error from ssl3_get_message() and is unused otherwise. Zap dead store and silly ret = 1; return ret; ok inoguchi jsing
2022-01-24In ssl3_get_server_key_exchange() switch a 'goto err' toTheo Buehler
'goto fatal_err' so that the illegal_parameter alert is actually sent in case of X509_get0_pubkey() failure. ok inoguchi jsing
2022-01-24Avoid use of uninitialized in tlsext_sni_server_parse()Theo Buehler
If the hostname is too long, tlsext_sni_is_valid_hostname() will fail without having initialized *is_ip. As a result, the garbage value could lead to accepting (but otherwise ignoring) overlong and possibly invalid hostnames without erroring in tlsext_sni_server_parse(). ok inoguchi jsing
2022-01-24Garbage collect the unused rv in tls1_check_ec_server_key() andTheo Buehler
convert to usual form of error checking. ok inoguchi jsing